Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Ken Simpson
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
The only way to get the ISPs to take action is through legislation forcing them 
to do so. And even then such legislation will only make a big impact if it is 
applied globally. The situation is admittedly rather hopeless...

Some tier ones I have spoken with indicate they are preparing to take proactive 
action because they fear upcoming legislation. Without that they say they just 
don't have budget.

Ken



--
Ken Simpson, CEO
MailChannels Corporation
Reliable Email Delivery (tm)
http://www.mailchannels.com  

-Original Message-
From: "James Pleger" <[EMAIL PROTECTED]>

Date: Fri, 21 Sep 2007 20:53:15 
To: PinkFreud <[EMAIL PROTECTED]>
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] Why ISP's and NSP's Love Botnets


I don't think that ISPs are going to care until there is a business model that 
will make them money (or save it) and not cost them a bunch of money/staff 
overhead.

It costs a great deal to staff an abuse department that knows what they are 
doing; there isn't really any value for the ISP to take down a botted machine 
that is sending spam, unless it is affecting their core business.

Just my two cents...

Look at TTNET, they don't do anything about complaints (from what I can tell).


On 9/21/07, PinkFreud <[EMAIL PROTECTED]> wrote:
On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:

*snip*

> Again, there is no silver bullet.  It is *NOT* the responsibility of the
> providers to force safe computing down the throat of their customers. 

I disagree with this.  By your reasoning, it's not the responsibility
of the university I work for to make sure students don't put infected
machines on the network (we actually take a very proactive approach to 
minimize the number of 'problem' machines we have on the network).

To go back to your earlier analogy of a user enticing Joe Botherder,
you're right - there's little an ISP can do in that case.  But when 
you're talking about machines actively sending out spam/involved in a
DDoS/etc., then yes, it *is* the ISP's responsibility to do something.

I'm not saying an ISP should be watching everything that goes on on 
its network at all times.  However, when an abuse department is
contacted about a problem machine on the ISP's network, it is most
definitely the ISP's responsibility to investigate, attempt to contact 
the owner, and as a last resort, pull it off the network.

If an ISP weren't to take responsibility for the machines, who would?
The user?  As you pointed out, that's rather unlikely.  :)

The real question is - what do we do with ISPs which ignore abuse 
reports, like Turk Telekom, RDSNet, or QualityNet?


*snip*

> ~john

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net 
 
Unsolicited advertisements sent to this address are NOT welcome.


___ 
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]  
All list and server information are public and available to law enforcement 
upon request.

http://www.whitestar.linuxbox.org/mailman/listinfo/botnets 
 



Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread James Pleger
Wow, you have my favorite ASNs there :)

I really REALLY hope that there is a time in the near future when I can
submit a complaint to an ISP and have some sort of peace of mind that it
might be acted upon. I am kind of curious if the pressure is because their
networks are being adversely affected by these infections, or if it is
threats from upstream providers...

/me sighs...

On 9/21/07, Paul Ferguson <[EMAIL PROTECTED]> wrote:
>
> -- "James Pleger" <[EMAIL PROTECTED]> wrote:
>
> >I don't think that ISPs are going to care until there is a business model
> >that will make them money (or save it) and not cost them a bunch of
> >money/staff overhead.
> >
> >It costs a great deal to staff an abuse department that knows what they
> >are doing; there isn't really any value for the ISP to take down a botted
> >machine that is sending spam, unless it is affecting their core
> >business.
> >
> >
>
> Perhaps, but the pressure is mounting.
>
> Until that time, we have this:
>
> https://nssg.trendmicro.com/nrs/reports/rank.php?page=1
>
> - ferg
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/

-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

PinkFreud wrote:
> On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:
>
> *snip*
>
>> Again, there is no silver bullet.  It is *NOT* the responsibility of the
>> providers to force safe computing down the throat of their customers.
>
> I disagree with this.  By your reasoning, it's not the responsibility
> of the university I work for to make sure students don't put infected
> machines on the network (we actually take a very proactive approach to
> minimize the number of 'problem' machines we have on the network).

Two points:

1) Protecting your network != forcing safe computing down the throat of
your "customers."

While _you_ can place infected users into a walled garden which will
provide them "motivation" to clean their infected/compromised machine,
you still cannot force the user to practice "safe computing."  You can
make the alternative inconvenient for them but, only the user can make
the conscious decision to not do stupid things.

2) UNI Network != Service Provider Network.

As a UNI Network, you have the ability to place users into a walled
garden without fear of the user "voting with their wallet."  I.e., the UNI
gets their money even if the student is walled for the entire school
term.  Add the real threat of litigation on the part of "customers" of
actual service providers (ISP/NSP) who sue the provider for interruption
of business, etc., and you can see that while you as a UNI Network may
have several Gb/s worth of transit + I2 capacity, a bunch of 15Ks, 12Ks
and 7600s in your network like the rest of the "big boys", the
customer:provider relationship is completely different.

Even when a customer is in violation of an AUP/TOS, it is a difficult
sale to legal to just admin down the customer facing interface or
otherwise send a "shot across the bow" to get the customer's attention.

Our customer-facing folks have brought me into calls where the customer
had to call back via their cellphone - they were unable to complete a
VoIP call because their connection was so saturated with outbound DoS
traffic - and the customer was actually arguing that "there was no way
they were compromised because they didn't run Windows."  This same
customer decided to go the executive escalation path where VPs, SVPs and
C*O's are brought into the mix, threatening litigation, blah blah blah.
I was eventually able to convince the customer that they did in fact
have compromised machines on their network but only after they
physically disconnected the switch uplink to their compromised servers
and their VoIP miraculously started working again.


> 
> To go back to your earlier analogy of a user enticing Joe Botherder,
> you're right - there's little an ISP can do in that case.  But when
> you're talking about machines actively sending out spam/involved in a
> DDoS/etc., then yes, it *is* the ISP's responsibility to do something.
> 
> I'm not saying an ISP should be watching everything that goes on on
> its network at all times.  However, when an abuse department is
> contacted about a problem machine on the ISP's network, it is most
> definitely the ISP's responsibility to investigate, attempt to contact
> the owner, and as a last resort, pull it off the network.

Please don't misunderstand.  I am in no way shape or form stating that
it is not the responsibility of a service provider to actively and
aggressively field complaints.  I'll go one step further and say that in
my opinion, service providers should proactively monitor their networks
for anomalous traffic and vigorously investigate anything that causes
bells and whistles to start going off.  That is not the same thing as
forcing safe computing onto your customers however.

If I had my way, no end-users would be logging into a privileged account
on *ANY* platform to do non-admin tasks.  There is absolutely no reason
for a user to have Administrator privileges while surfing the net,
checking email or chatting on their favorite instant messaging client.

Tell me what percentage of end-users create a luser account
and *USE* it vs the default, balls-to-the-wall Administrator privilege
account on their winblows machine if they received notification that it
was the "smart" thing to do or it was "best current practice"?

> 
> If an ISP weren't to take responsibility for the machines, who would?
> The user?  As you pointed out, that's rather unlikely.  :)
> 

The question that has to be asked before ultimate responsibility can be
established is "Whose machine is it?"

If you're MegaCompany, Inc, the machine could be a server on your
corporate network, a desktop machine at a cubicle or even the laptop of
an outside sales rep who is connecting via VPN.

If you're RackSpace, the machine is yours and the customer pays you for
the ability to utilize the machine.

If you're Cox Cable, the machine most likely belongs to Billy

Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Paul Ferguson

-- "James Pleger" <[EMAIL PROTECTED]> wrote:

>I don't think that ISPs are going to care until there is a business model
>that will make them money (or save it) and not cost them a bunch of
>money/staff overhead.
>
>It costs a great deal to staff an abuse department that knows what they
>are doing; there isn't really any value for the ISP to take down a botted
>machine that is sending spam, unless it is affecting their core business.
>

Perhaps, but the pressure is mounting.

Until that time, we have this:

https://nssg.trendmicro.com/nrs/reports/rank.php?page=1

- ferg



--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/





Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread James Pleger
I don't think that ISPs are going to care until there is a business model
that will make them money (or save it) and not cost them a bunch of
money/staff overhead.

It costs a great deal to staff an abuse department that knows what they are
doing; there isn't really any value for the ISP to take down a botted
machine that is sending spam, unless it is affecting their core business.

Just my two cents...

Look at TTNET, they don't do anything about complaints (from what I can
tell).

On 9/21/07, PinkFreud <[EMAIL PROTECTED]> wrote:
>
> On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:
>
> *snip*
>
> > Again, there is no silver bullet.  It is *NOT* the responsibility of the
> > providers to force safe computing down the throat of their customers.
>
> I disagree with this.  By your reasoning, it's not the responsibility
> of the university I work for to make sure students don't put infected
> machines on the network (we actually take a very proactive approach to
> minimize the number of 'problem' machines we have on the network).
>
> To go back to your earlier analogy of a user enticing Joe Botherder,
> you're right - there's little an ISP can do in that case.  But when
> you're talking about machines actively sending out spam/involved in a
> DDoS/etc., then yes, it *is* the ISP's responsibility to do something.
>
> I'm not saying an ISP should be watching everything that goes on on
> its network at all times.  However, when an abuse department is
> contacted about a problem machine on the ISP's network, it is most
> definitely the ISP's responsibility to investigate, attempt to contact
> the owner, and as a last resort, pull it off the network.
>
> If an ISP weren't to take responsibility for the machines, who would?
> The user?  As you pointed out, that's rather unlikely.  :)
>
> The real question is - what do we do with ISPs which ignore abuse
> reports, like Turk Telekom, RDSNet, or QualityNet?
>
>
> *snip*
>
> > ~john
>
> --
> PinkFreud
> Chief of Security, Nightstar IRC network
> irc.nightstar.net | www.nightstar.net
> Server Administrator - Blargh.CA.US.Nightstar.Net
> Unsolicited advertisements sent to this address are NOT welcome.
>


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread PinkFreud
On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:

*snip*

> Again, there is no silver bullet.  It is *NOT* the responsibility of the
> providers to force safe computing down the throat of their customers.

I disagree with this.  By your reasoning, it's not the responsibility
of the university I work for to make sure students don't put infected
machines on the network (we actually take a very proactive approach to
minimize the number of 'problem' machines we have on the network).

To go back to your earlier analogy of a user enticing Joe Botherder,
you're right - there's little an ISP can do in that case.  But when
you're talking about machines actively sending out spam/involved in a
DDoS/etc., then yes, it *is* the ISP's responsibility to do something.

I'm not saying an ISP should be watching everything that goes on on
its network at all times.  However, when an abuse department is
contacted about a problem machine on the ISP's network, it is most
definitely the ISP's responsibility to investigate, attempt to contact
the owner, and as a last resort, pull it off the network.

If an ISP weren't to take responsibility for the machines, who would?
The user?  As you pointed out, that's rather unlikely.  :)

The real question is - what do we do with ISPs which ignore abuse
reports, like Turk Telekom, RDSNet, or QualityNet?


*snip*

> ~john

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.




Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

J. Oquendo wrote:
> John Fraizer wrote:
> 
>> Carrier grade routers are designed to route (or switch in the case of
>> MPLS) packets at line-rate.  When you start applying ACLs, the
>> performance hit is not trivial - especially when you've got interfaces
>> doing 1-Mpps+ under *normal* load.
> 
> Alright, so let me start again... I stated if NAP's and NSP's contacted
> their customers lowly DS3 guys like me and stated "Look here is what you
> need to do to avoid having your network send out garbage...", imagine
> for a second if a fraction of NAP's started implementing these policies
> how much garbage traffic would be curtailed.
> 

Fergie, do you wanna tell him about BCP38 and how long it's been around
or should I?

Never mind.  I will: http://www.faqs.org/rfcs/bcp/bcp38.html

Beyond that it's about *user* education and some...er...*MOST* users are
simply unwilling or unable to be educated.  How long have people been
told not to open attachments from unknown senders?  And what is the
primary distribution vector for Storm?

> 
> And how much would it cost for the following:
> 
> Dear Valued Customer,
> 
> Beginning December 2007, we will be asking our customers to help make
> our networks more efficient. We ask that you view a set of pre-defined
> guidelines created by industry experts and implement them on your
> routers and switches. Should you need assistance please contact us.
> 
> Sincerely,
> Your Provider
> Working to make the Internet Safer.
> 

Sadly, one does not have to show proof or proficiency to purchase a
computer and/or obtain internet connectivity.  You can send all the
letters you want to the customer.  Until it is *PAINFUL* for them, they
are not going to do anything.  The level of pain varies on a case by
case basis.  There is no silver bullet.  Outside of sending out a
competent individual to personally visit every customer and apply (by
force if necessary) the best current practices, patch their operating
systems and applications and watch over their shoulder to prevent them
from doing stupid things like opening unknown attachments or blindly
clicking every link they find on the net, you are not going to clean up
the net.  I ask you, how much is THAT going to cost?  You know that the
USER is not going to pay for it.  As far as they're concerned, there
isn't a problem and if it ain't broke, they're not gonna fix it!



>> I wasn't the one who went out and started talking smack on IRC and
>> invited Joe Botherder to "take his best shot" at me.  It was my
>> misguided customer.
> 
> It's that customer I know I wouldn't want on my network. Even if they did
> pay X over bandwidth I just wouldn't want them.
> 

OK.  Would you want the customer who opened up an attachment in email
which infected them allowing their machine to be used as a proxy for
some miscreant to go on IRC and invite Joe Botherder to "take his best
shot"???  How about the customer who gets infected by downloading the
latest war3z and gets infected and their machine starts scanning the
closest 4 /8's worth of address space, eventually triggering an inbound
DDoS because they tickled some Storm infected hosts in just the right
way?  Oh, no.  We don't want them either.  We only want highly vigilant,
safe browsing, not miscreant attention attracting customers.  Do you
know the problem with that business model?  There are not enough
clued-in customers to go around.



> Is it, I look at this analogy, you go to a car dealer say Nissan,
> purchase your car. Brake problems? I take it back to the dealer. "Oh my,
> did email or call me to say an attacker has the potential to affect the
> GPS and re-route my destination even stop me from getting there. Wow,
> and you even sent me instructions on how to avoid it." Know what, I'd
> appreciate that car dealer. I'd even go tell another Nissan owner, hey
> did you hear the news...

Product defect and user education are not anywhere close to being the
same thing.  The ISP/NSP is doing *exactly* what the customer is paying
for by carrying the packets (good and bad) to/from endpoint to endpoint.
It is the customers who are becoming infected causing their machines to
send the bad packets.

Is it the responsibility of the car dealer to prevent you from
purchasing the car if you have a history of running into other cars?  No
it isn't.  Is it the responsibility of the car dealer to prevent you
from purchasing the car if you have a history of being the victim in
automobile collisions?  No.  It is the responsibility of the car dealer
to sell you whatever car you desire to purchase and can provide funding for.

A brake problem with a new car would be analogous to a bad piece of
provider issued CPE or a mismatched MTU on a P-t-P circuit.  That's not
what we're talking about here.  We're talking about people who think
that setting cruise control is the same as engaging the auto-pi

Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
John Fraizer wrote:

> Carrier grade routers are designed to route (or switch in the case of
> MPLS) packets at line-rate.  When you start applying ACLs, the
> performance hit is not trivial - especially when you've got interfaces
> doing 1-Mpps+ under *normal* load.

Alright, so let me start again... I stated if NAP's and NSP's contacted
their customers lowly DS3 guys like me and stated "Look here is what you
need to do to avoid having your network send out garbage...", imagine
for a second if a fraction of NAP's started implementing these policies
how much garbage traffic would be curtailed.

> Go look and see how much a TMS costs.  Now, consider a "medium" sided
> provider with a backbone that covers about 25 states.  How many TMS
> devices does that provider need to deploy?  How much extra capacity does
> that provider need to deploy on their network to be able to divert
> traffic to the "closest" TMS?

And how much would it cost for the following:

Dear Valued Customer,

Beginning December 2007, we will be asking our customers to help make
our networks more efficient. We ask that you view a set of pre-defined
guidelines created by industry experts and implement them on your
routers and switches. Should you need assistance please contact us.

Sincerely,
Your Provider
Working to make the Internet Safer.

> I wasn't the one who went out and started talking smack on IRC and
> invited Joe Botherder to "take his best shot" at me.  It was my
> misguided customer.

It's that customer I know I wouldn't want on my network. Even if they did
pay X over bandwidth I just wouldn't want them.

> This notion that it is the responsibility of the
> providers to protect their customers is analogous to the two of us
> walking into a bar and you thinking that just because I'm a Marine that
> you can go pick the biggest, baddest mofo in the bar and pick a fight
> with him and it will be my job to fight him *for you*...

Is it, I look at this analogy, you go to a car dealer say Nissan,
purchase your car. Brake problems? I take it back to the dealer. "Oh my,
did email or call me to say an attacker has the potential to affect the
GPS and re-route my destination even stop me from getting there. Wow,
and you even sent me instructions on how to avoid it." Know what, I'd
appreciate that car dealer. I'd even go tell another Nissan owner, hey
did you hear the news...

> It exists.  It's been around for quite some time.
>
> uRPF + RFC1998
>
> And a newer concept:
>
> http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt

I meant to make mention of a lot of things. When I rambled on it was
rambling on. It was to make a point, I'm sure there are tons of things a
lowly provider can do; maybe they're misguided as you say I am, maybe
some just don't know about these things. How about guidance from the big
boys. How about a template from the industry's experts. How about
guidance from the big boys before it's too late:
http://www.darkreading.com/document.asp?doc_id=130745

I sincerely enjoy word for word the learning experience here so please
don't misunderstand my communication at any given time and should you
tell me to STFU I'd respect that too, but I'm trying to understand why
it can't be done and sadly I'm still seeing nothing more than an excuse.
Not from you per se but overall there is STILL no reason why networks
can't be cleaner.

> The "bad guys" aren't just
> 15-y/o zit-faced punks trying to impress their friends anymore.  It is
> organized crime, terrorists, rogue nations, etc.  These people don't
> have any more of a problem putting a bullet in your head than they do
> sending a ping-flood your way.  For that reason, among others, the
> intelligence gathering and mitigation activities are conducted under the
> cloak of secrecy.  It's all about operational security.
>

Understandable as well and appreciated on the schooling I'm getting.


J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

J. Oquendo wrote:
> John Fraizer wrote:
> 
>> Access to ATLAS data is
>> limited to ATLAS partners for multiple reasons, not the least of which
>> being preventing the miscreants from knowing precisely how it is
>> gathered, vetted and redistributed.
> 
> And my further discussions with them didn't entail getting the keys to
> their kingdom's riches. It solely involved processing the IP addresses
> of attackers.
> 

You completely missed the entire concept of "open source intelligence",
didn't you?


>> By limiting the scope of participants in the ATLAS project to known,
>> trusted and highly vetted individuals who are themselves highly invested
>> in the success of the project and who can provide large quantities of
>> high confidence intelligence to the ATLAS project itself, Arbor is
>> taking crucial steps towards circumventing open source intelligence
>> gathering against the project itself.
> 
> Define "trusted individuals": someone who puts enough money in your pocket?
> 

Um, how's this: Not you.   Seriously though, if you have to ask for a
definition, it is painfully obvious that this is beyond the scope of
what can be explained to you.


>> "What?  I've never seen any publicity about NSPs working together to do
>> this and if it's not in the news and being blogged about, it just isn't
>> happening!"
> 
> But whose fault is this? I would love to be able to ramble on my blog
> about contacting provider X and how good they were at addressing the
> issue. I've gone on countless mailing lists and asked "does someone have
> a contact at X provider". (http://www.infiltrated.net/bfOld/) ... A
> simple bruteforcer script which would log information from bruteforce
> attackers. I used to parse that out with sed and awk and contact most
> network operators while in between doing work, etc.
> 
> To this date, the most helpful individual has been Dave at REN-ISAC.

Dave Monnier and I cross paths on pretty much a daily basis.  He's a good
guy and an invaluable resource to the community.  I'm glad he was able
to help you out.  I also hope you'll understand that those of us who do
hold the keys to the kingdom are unlikely to jump out of the shadows
every time some squirrel yells, "Help!  Someone scanned me and set off
my ZoneAlarm!"  We have finite resources to apply to an infinite number
of issues.

While you might consider someone trying to bruteforce ssh on your b0xen
to be a high priority, it falls way below collecting forensics and doing
flow analysis on a child pornography ring or tracking and mitigating
state sponsored cyberterrorism being perpetrated against a DoE site in
my book.


>> You neglected to make your point so, I'll take this time to make mine
>> again:
>>
>> There is a lot going on in the shadows to combat botnets and other
>> miscreant activities that most folks don't have credentials to know
>> about.
>
> I don't disagree with you in fact I wholeheartedly agree there are a lot
> of idiots out there. Some of which I would like to personally introduce to
> the bottom of my Puma's however, there are some of us in the industry
> who do whatever it takes to try and make our own networks safe.

Um, I don't recall using the word idiot.  I wasn't belittling anyone.  I
was pointing out that just because you don't know about something going
on doesn't mean that it isn't going on.  The "bad guys" aren't just
15-y/o zit-faced punks trying to impress their friends anymore.  It is
organized crime, terrorists, rogue nations, etc.  These people don't
have any more of a problem putting a bullet in your head than they do
sending a ping-flood your way.  For that reason, among others, the
intelligence gathering and mitigation activities are conducted under the
cloak of secrecy.  It's all about operational security.


~john



Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

Jonathan Yarden wrote:
>>> http://www.infiltrated.net/?p=29
> 
> Although this seems to be yet another conspiracy theorist hard at work,
> there are some interesting issues raised.  Not the least of which is why is
> it that network equipment manufacturers are still doing static rule-based
> access control when clearly a distributed approach could be easily done?
> After all, what is an RBL but a DNS-based distributed access list?
> 

Carrier grade routers are designed to route (or switch in the case of
MPLS) packets at line-rate.  When you start applying ACLs, the
performance hit is not trivial - especially when you've got interfaces
doing 1-Mpps+ under *normal* load.  It is for this reason that most
high-tier providers (read: those with clue) typically use divert routing
to ship traffic that needs "special attention" via a dedicated
mitigation path where it is dropped or scrubbed.  There are products out
there that can do wire-speed scrubbing but *THEY ARE NOT ROUTERS* but
rather purpose-built devices.  The Arbor TMS is one such device.

I'm sure that "sil" is going to pipe up and say, "Well, if they can do
this, why aren't they doing it and if they are doing it, why are they
charging the CUSTOMER to clean up THEIR mess?!"

Go look and see how much a TMS costs.  Now, consider a "medium" sized
provider with a backbone that covers about 25 states.  How many TMS
devices does that provider need to deploy?  How much extra capacity does
that provider need to deploy on their network to be able to divert
traffic to the "closest" TMS?  Who is it that these devices are being
deployed to protect?  I'll answer the last question.  They're deployed
to protect the CUSTOMER.  If the customer wants to enjoy the benefits of
having their inbound 900Mb/s @ 800Kpps attack mitigated by the provider
so the customer can still surf via their fractional DS1, the customer
needs to pony up some money because the provider still has to carry that
900Mb/s of traffic to the scrubbing devices.  It would be far easier for
me to simply null-route the victim (customer) IP address and
redistribute that blackhole via an RFC1998 implementation to all of my
peers to keep the attack traffic off of my network completely.  That
takes the customer out though and they don't want that.

I wasn't the one who went out and started talking smack on IRC and
invited Joe Botherder to "take his best shot" at me.  It was my
misguided customer.  This notion that it is the responsibility of the
providers to protect their customers is analogous to the two of us
walking into a bar and you thinking that just because I'm a Marine that
you can go pick the biggest, baddest mofo in the bar and pick a fight
with him and it will be my job to fight him *for you*...  I hate to tell
you but, if that happened, I would drive you to the hospital and tell the
triage nurse, "My buddy wrote a check with his mouth that his body
couldn't cash.  He's all yours now."  If you got blood on the interior
of my car in the process, I'd make you pay for it.


> Granted, while I don't work for a transit carrier and manage a mere OC-3
> worth of data to a few thousand end-users, it would be nice to have an
> IP-granular "kill-switch" system that I could use to signal an upstream
> router to stop sending data from a network or ASN because it's causing me
> problems.  I can do it already at the host level with a system I fudged
> together, but the data still comes into my network before I can drop it.
> 

It exists.  It's been around for quite some time.

uRPF + RFC1998

And a newer concept:

http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt


~john

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFG9Ct9+16lRpJszIgRAnNgAJwNClG9GR+v/5fi5teq1FuN3tnLdACggb6g
kS1aFK1hQlA3XJHnZKvBhZw=
=Itto
-END PGP SIGNATURE-
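Added example, not code from the thread or from any vendor: a toy forwarding-plane model of the two controls John names above, strict-mode uRPF on customer-facing interfaces and a remote-triggered blackhole /32 that a customer signals with a BGP community (the community-driven policy RFC 1998 describes). The prefixes, interface names and the community value 64496:666 are constructed; a real deployment also checks the announced /32 against the customer's own prefix-list.

```python
"""Toy forwarding-plane model: strict uRPF plus a community-triggered
blackhole route. Added illustration; prefixes, interface names and the
community value are constructed, not taken from any real network."""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"                      # discard interface
BLACKHOLE_COMMUNITY = "64496:666"    # constructed; the real value is agreed per peer


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


class Fib:
    """Minimal longest-prefix-match table."""

    def __init__(self, routes):
        self.routes = []
        for r in routes:
            self.add(r)

    def add(self, route):
        self.routes.append(route)
        # keep the most specific prefix first so the first hit is the best route
        self.routes.sort(key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None


def urpf_strict_ok(fib, src, ingress_iface):
    """Strict uRPF: the best route back to the source must point out the
    interface the packet arrived on and must not be a discard route."""
    r = fib.lookup(src)
    return r is not None and r.iface == ingress_iface and r.iface != NULL0


def forward(fib, src, dst, ingress_iface):
    """Return ("drop", reason) or ("forward", egress_interface)."""
    if not urpf_strict_ok(fib, src, ingress_iface):
        return ("drop", "urpf-fail")
    r = fib.lookup(dst)
    if r is None:
        return ("drop", "no-route")
    if r.iface == NULL0:
        return ("drop", "blackhole")
    return ("forward", r.iface)


def apply_blackhole(fib, prefix, community):
    """Provider side of RTBH: the customer announces a host route tagged with
    the agreed community and the provider installs it pointing at Null0.
    Anything without the exact community, or wider than a /32, is refused so a
    customer cannot blackhole more than a single victim address at a time."""
    net = ipaddress.IPv4Network(prefix)
    if community != BLACKHOLE_COMMUNITY or net.prefixlen != 32:
        return False
    fib.add(Route(net, NULL0))
    return True


def demo_fib():
    """Constructed table: a default route upstream and two customer /24s."""
    return Fib([
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "Upstream0"),
        Route(ipaddress.IPv4Network("203.0.113.0/24"), "Customer1"),
        Route(ipaddress.IPv4Network("198.51.100.0/24"), "Customer2"),
    ])


if __name__ == "__main__":
    fib = demo_fib()
    # legitimate customer traffic
    print(forward(fib, "203.0.113.10", "198.51.100.5", "Customer1"))
    # spoofed source (Customer2's space) arriving on Customer1's port
    print(forward(fib, "198.51.100.5", "203.0.113.10", "Customer1"))
    # victim asks for a blackhole; attack traffic from upstream now dies at the edge
    apply_blackhole(fib, "203.0.113.10/32", BLACKHOLE_COMMUNITY)
    print(forward(fib, "192.0.2.77", "203.0.113.10", "Upstream0"))
```

The trade-off John describes is visible in the last call: once the /32 points at Null0 the attack never reaches the scrubbing path, but neither does anything else addressed to the victim, which is why a customer who wants to stay reachable ends up paying for the diverted-and-scrubbed option instead.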


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
John Fraizer wrote:

> Access to ATLAS data is
> limited to ATLAS partners for multiple reasons, not the least of which
> being preventing the miscreants from knowing precisely how it is
> gathered, vetted and redistributed.

And my further discussions with them didn't entail getting the keys to
their kingdom's riches. It solely involved processing the IP addresses
of attackers.

> By limiting the scope of participants in the ATLAS project to known,
> trusted and highly vetted individuals who are themselves highly invested
> in the success of the project and who can provide large quantities of
> high confidence intelligence to the ATLAS project itself, Arbor is
> taking crucial steps towards circumventing open source intelligence
> gathering against the project itself.

Define "trusted individuals": someone who puts enough money in your pocket?

> "What?  I've never seen any publicity about NSPs working together to do
> this and if it's not in the news and being blogged about, it just isn't
> happening!"

But whose fault is this? I would love to be able to ramble on my blog
about contacting provider X and how good they were at addressing the
issue. I've gone on countless mailing lists and asked "does someone have
a contact at X provider". (http://www.infiltrated.net/bfOld/) ... A
simple bruteforcer script which would log information from bruteforce
attackers. I used to parse that out with sed and awk and contact most
network operators while in between doing work, etc.

To this date, the most helpful individual has been Dave at REN-ISAC.
When I was running a brute force list of ssh bots, I would send him
information and he via REN-ISAC would contact the appropriate
individuals to get those networks clean. I did this in my own spare time,
somewhat of a "safe network" activist for lack of better terms. If
there was ANYONE who would have helped I would have publicly said thank
you. I wasn't doing it for money, notoriety, I was doing it for the sake
of thinking I could make a difference.

> You neglected to make your point so, I'll take this time to make mine
> again:

>>> There is a lot going on in the shadows to combat botnets and other
>>> miscreant activities that most folks don't have credentials to know
>>> about.
>>>

I don't disagree with you; in fact, I wholeheartedly agree there are a lot
of idiots out there. Some of which I would like to personally introduce to
the bottom of my Puma's; however, there are some of us in the industry
who do whatever it takes to try and make our own networks safe.

Maybe it's me hoping to get some engineer who knows damn well his network
is dirty to perhaps disconnect his user until his user gets cleaned up,
what the solution is, I don't think there is a full(fool)proof solution.
I DO BELIEVE though that if say an NSP was to start holding their
clients responsible, things would be a lot different. If I were a NSP,
NAP, etc. with a couple of /24's and someone on one of them passing bad
traffic, take your money off my system. It wouldn't be worth it to me in
the long run. And this is the part I don't understand, either IT IS
WORTH IT, or companies just like throwing money away.

As for your other comments on my DS3 pricing... Of course it's a ripoff,
we've all told management about the pricing... We're just workers the
same as anyone else.


-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
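Added example, not J. Oquendo's script: the kind of log parsing he describes doing with sed and awk before contacting the operators of the source networks, here as a small Python aggregator over OpenSSH auth-log lines. The log lines, host name and addresses are constructed.

```python
"""Aggregate failed SSH logins per source address from auth-log lines.
Added illustration; the sample log is constructed in OpenSSH's auth.log
format and the addresses are documentation ranges."""
import re
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_LOG = """\
Sep 21 20:53:15 gw sshd[1021]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Sep 21 20:53:17 gw sshd[1021]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2
Sep 21 20:53:19 gw sshd[1021]: Failed password for root from 203.0.113.45 port 51236 ssh2
Sep 21 20:53:20 gw sshd[1030]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Sep 21 20:53:22 gw sshd[1031]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
Sep 21 20:53:30 gw sshd[1021]: Failed password for root from 203.0.113.45 port 51237 ssh2
Sep 21 20:53:31 gw sshd[1032]: Invalid user oracle from 203.0.113.45
"""


def parse_failures(lines):
    """Return {ip: {"count": n, "users": sorted list}} for failed-password lines."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue            # accepted logins, "Invalid user" notices, etc.
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return {ip: {"count": e["count"], "users": sorted(e["users"])}
            for ip, e in stats.items()}


def offenders(lines, threshold=3):
    """Sources with at least `threshold` failures, busiest first: the list you
    would take to the source network's abuse contact."""
    stats = parse_failures(lines)
    hits = [(ip, e["count"], e["users"]) for ip, e in stats.items()
            if e["count"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def report(lines, threshold=3):
    """One line per offender, ready to paste into an abuse report."""
    return [f"{ip}: {n} failed logins, usernames tried: {', '.join(users)}"
            for ip, n, users in offenders(lines, threshold)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

The threshold keeps a single mistyped password off the report; the usernames tried are included because a run of "admin", "test", "oracle" against a host with none of those accounts is what distinguishes a dictionary bot from a confused user.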





Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Jonathan Yarden
>> http://www.infiltrated.net/?p=29

Although this seems to be yet another conspiracy theorist hard at work,
there are some interesting issues raised.  Not the least of which is why is
it that network equipment manufacturers are still doing static rule-based
access control when clearly a distributed approach could be easily done?
After all, what is an RBL but a DNS-based distributed access list?

Granted, while I don't work for a transit carrier and manage a mere OC-3
worth of data to a few thousand end-users, it would be nice to have an
IP-granular "kill-switch" system that I could use to signal an upstream
router to stop sending data from a network or ASN because it's causing me
problems.  I can do it already at the host level with a system I fudged
together, but the data still comes into my network before I can drop it.

So IMHO this article relates very little to botnets (other than to assign
blame to larger carriers), but it does beg the question of whether an
IP-granular, UDP-based record manager would be a suitable building block for
a distributed firewall system.  The RBL systems are already there.

-- 
Jon

Those who make peaceful revolution impossible will make violent
revolution inevitable.
-- John F. Kennedy
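Added example, not code from Jon's post: the mechanics behind his "RBL as a DNS-based distributed access list" remark. A DNSBL client reverses the octets of the source address, appends the list's zone and asks for an A record; an answer inside 127.0.0.0/8 means "listed", with the last octet usually encoding the reason. The zone names, return-code meanings and the stand-in resolver's answers are constructed.

```python
"""DNSBL lookup and decision logic. Added illustration; the zones, the
return-code table and the fake DNS answers are constructed."""
import ipaddress

# Constructed code meanings; every real list publishes its own table.
RETURN_CODES = {
    "127.0.0.2": "open relay / direct spam source",
    "127.0.0.3": "botnet-infected host",
    "127.0.0.4": "open proxy",
}

# Stand-in for the DNS: name -> list of A records. Constructed data.
FAKE_DNS = {
    "45.113.0.203.dnsbl.example": ["127.0.0.3"],
    "9.100.51.198.dnsbl.example": ["127.0.0.2", "127.0.0.4"],
    # a dead list that answers every query with a non-loopback address
    "7.100.51.198.dead.example": ["192.0.2.1"],
}


def fake_resolve(name):
    """Return A records for `name`, or [] when the name does not exist (NXDOMAIN)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip, zone):
    """203.0.113.45 + dnsbl.example -> 45.113.0.203.dnsbl.example"""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check(ip, zone, resolve=fake_resolve):
    """Return (listed, reasons). Only answers inside 127.0.0.0/8 count as a
    listing; anything else is treated as a broken or wildcarded zone and
    ignored, so a dead list cannot silently block all traffic."""
    answers = resolve(dnsbl_query_name(ip, zone))
    reasons = []
    for a in answers:
        if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8"):
            reasons.append(RETURN_CODES.get(a, f"listed ({a})"))
    return (bool(reasons), reasons)


def should_block(ip, zones, resolve=fake_resolve):
    """Distributed ACL decision over several lists: block if any list flags it."""
    return any(check(ip, z, resolve)[0] for z in zones)


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.9", "198.51.100.7", "192.0.2.10"):
        print(ip, check(ip, "dnsbl.example"), check(ip, "dead.example"))
```

The 127.0.0.0/8 check is the part worth keeping when wiring this into a real filter: lists that are retired sometimes get wildcarded by their registrar or start answering every query, and a client that treats any A record as "listed" then drops everything.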


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

J. Oquendo wrote:
> 
> You're right I should have posted about Peakflow, I've spoken I've dealt
> with Sunil James in hopes I could create an open source protection
> script based off of Arbor's data for the sake of (drum roll...)
> protecting networks that might not be able to afford Peakflow... Guess
> what... "We're sorry"...: So instead of just talking crap I took the
> time to do what I thought was productive...
> 

And I don't blame them at all.  What part of "Arbor Networks, *INC*"
(emphasis on the INC part) is hard to understand?  They are a commercial
entity.  They have spent tons and tons of money developing and deploying
their architecture.  What kind of return on investment are they going to
see if they give away the keys to the kingdom?  Access to ATLAS data is
limited to ATLAS partners for multiple reasons, not the least of which
being preventing the miscreants from knowing precisely how it is
gathered, vetted and redistributed.

In the intelligence business, there is this nifty little thing called
"open source intelligence".  The concept is pretty simple.  Most
non-OPSEC savvy people think for some misguided reason that they can
drop little "hints" while not divulging the whole secret and that it
isn't such a big deal.  They couldn't be more wrong though.

One person "dropping hints" (purposeful or not) is not always going to
drop the same hint.  Before long, he has dropped enough individual
pieces of the puzzle for the adversary to put them together and find out
the big picture.

Typically, there is more than one person dropping hints so, the amount
of time required to put the puzzle together is reduced for the adversary.

The "open source" comes from the fact that the adversary didn't have to
do anything covert to gather the intelligence.  It was provided to them
one puzzle piece at a time by people who didn't see "any harm" in
letting their guard down "just a little bit."  Just like a jigsaw puzzle
of a boat or airplane though, you don't have to put the whole puzzle
together before you know without a doubt what is in the picture.

By limiting the scope of participants in the ATLAS project to known,
trusted and highly vetted individuals who are themselves highly invested
in the success of the project and who can provide large quantities of
high confidence intelligence to the ATLAS project itself, Arbor is
taking crucial steps towards circumventing open source intelligence
gathering against the project itself.


> 
>> As for "access-list oneliners", if you want to see a router melt down,
>> go ahead and apply an ACL to block that 2 million packets per second,
>> 2Gb/s DDoS heading towards your customer.  Let us know how that works
>> out for ya, OK?
> 
> You missed the point where I rambled on about having NSP's contact their
> downstreams and work with them to mitigate things to a point so where it
> never gets there. If all the big players did that, AT&T, Verizon, BT,
> etc., do you think there would be a such thing as a botnet.
> 

I didn't miss anything.  I work with all three of the providers you
listed above, along with many, many others on a daily basis in *active*
mitigation of nefarious activities across the globe.

"What?  I've never seen any publicity about NSPs working together to do
this and if it's not in the news and being blogged about, it just isn't
happening!"

You don't get to debrief the SEAL teams, Marine Force Recon, the SAS or
the Israeli Commando units either so, I suppose that their clandestine
activities aren't happening either, huh?

> As for the rest of your counterpoints, well taken however I go back to mine:
> 

You neglected to make your point so, I'll take this time to make mine again:

>>
>> There is a lot going on in the shadows to combat botnets and other
>> miscreant activities that most folks don't have credentials to know about.
>>
>>
>> ~John


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFG9B83+16lRpJszIgRAlHBAJ9Jq5oNiuIdMAEDR1hbNeHrh6I/9ACdH8id
zP7mKbsTITj7I8Bgm2mC4us=
=A9yV
-END PGP SIGNATURE-


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
John Fraizer wrote:

> OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on
> data transferred vs raw line rate of the transport medium, there are two
> words to describe that provider: "Mom & Pop".  It is just that simple.

Regardless of mom and pop, how about calling them "a customer", regardless
of whether they're paying you 1,000.00 or 1,000,000.00?

> The overwhelming majority of malware we're seeing is not sourcing from
> RFC1918 space and much of it is intelligent enough not to scan into
> RFC1918 space and while I agree that RFC1918 should not ever make it
> past the CPE, let alone the customer aggregation router, access-lists
> are not where it's at.

Filtering was used as an example and I didn't want to add bogons
because of the arguments behind them. I could have added RBLs, SORBS,
etc., and filtering and acronyms until my face turned blue. It was
posted as a briefer... There is something that can be done.

> The use of uRPF in strict mode on customer
> facing interfaces would be a nice start though.  Strange that the author
> has so much supposed experience but they leave the most easily
> implemented filtering option out of their critique.

See above

> As for using ip audit and ip cef, they have their place but, any
> respectable provider is going to be collecting netflow exports from
> their routers and doing automated analytics on that flow information
> using any one of several publicly available netflow collectors - perhaps
> even augmented by a commercial solution such as the Arbor PeakFlow SP.

You're right I should have posted about Peakflow, I've spoken I've dealt
with Sunil James in hopes I could create an open source protection
script based off of Arbor's data for the sake of (drum roll...)
protecting networks that might not be able to afford Peakflow... Guess
what... "We're sorry"...: So instead of just talking crap I took the
time to do what I thought was productive...

The ATLAS Initiative wrote:
> Jesus,
>
> Are you looking to do this for your own managed devices, or for
> devices you manage for customers?
>
> Sunil
>
> 
> Sunil James | [EMAIL PROTECTED]
> Product Manager
> Arbor Networks Inc. | http://www.arbor.net
> 734.821.1460 work | 734.327.9048 fax
> PGP KeyID: 0xA18E302F
> 
>
>
> On Jun 8, 2007, at 1:27 PM, J. Oquendo wrote:
>
>> The ATLAS Initiative wrote:
>>> Dear Jesus,
>>>
>>> Thank you for expressing interest in ATLAS. Today, only select ATLAS
>>> partners and customers can access the private portal. Tomorrow, however,
>>> Arbor will be making available a web services-based ATLAS subscription
>>> service that can be pulled directly into pre-existing security
>>> offerings. If you'd like to be kept apprised of this future Arbor
>>> product offering, or If your interest is of another nature, please reply
>>> with a brief description of what you're looking to accomplish, and a
>>> good time next week when we can chat further.
>>>
>>> Best regards,
>>>
>>> Sunil James
>>> Product Manager
>>>
>>> 
>>> The ATLAS Initiative | [EMAIL PROTECTED]
>>> Arbor Networks Inc. | http://www.arbor.net
>>> 734.327. work | 734.327.9048 fax
>>> PGP KeyID: 0x99A512EB
>>> 
>> I was looking to utilize some of the host based information Atlas
>> gathers in order to automatically block these hosts via firewalls and
>> IDS/IPS equipment.
>>
>> --
>> J. Oquendo
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>> echo infiltrated.net|sed 's/^/sil@/g'
>> "Wise men talk because they have something to say;
>> fools, because they have to say something." -- Plato
>>
>>
>
I'm looking to do this so I can return an open source tool for anyone
looking for something similar.

// End snip

> As for "access-list oneliners", if you want to see a router melt down,
> go ahead and apply an ACL to block that 2 million packets per second,
> 2Gb/s DDoS heading towards your customer.  Let us know how that works
> out for ya, OK?

You missed the point where I rambled on about having NSP's contact their
downstreams and work with them to mitigate things to a point so where it
never gets there. If all the big players did that, AT&T, Verizon, BT,
etc., do you think there would be such a thing as a botnet?

As for the rest of your counterpoints, well taken; however, I go back to mine:


>
> It's easy to be a little stub ISP or better yet, an end-user and start
> pointing the finger screaming and yelling about what others have been
> doing.  Come back and talk to me when your smallest network drain is
> OC48 and you're connecting pops with multiple OC192 links.
>
> There is a lot going on in the shadows to combat botnets and other
> miscreant activities that most folks don't have credentials to know about.
>
>
> ~John

engineers will get thei

Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

-- John Fraizer <[EMAIL PROTECTED]> wrote:

>There is a lot going on in the shadows to combat botnets and other
>miscreant activities that most folks don't have credentials to know
>about.

Go get 'em, John. :-)

- ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG9BQmq1pz9mNUZTMRArRnAKC/MH4lYyqcXFRaUDRl181VTySt5ACfTFx2
wNF9aiNQDql1olvtjgU8yXE=
=Yoks
-END PGP SIGNATURE-

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

J. Oquendo wrote:

> http://www.infiltrated.net/?p=29
> 
> Biased... In all honesty I don't believe so
> 

OK.  It didn't take long to realize that the author really doesn't have
much of a grasp on how the transit provider business model works.

They start out trying to impress us with the following experience:

"I’d like to say I’ve been around the block for a couple of years now.
Having worked at an ISP, MSP, NSP and now V(oIP)SP..."

Wow.  Can I join in?  I founded and worked at the same NSP for 10 years
prior to accepting my current position as the senior engineer at another
large NSP.  I am the author of the Multi-Router Looking Glass (MRLG)
code used by 1000's of providers, not to mention many RIRs. I designed
the layer-2 protocol, the routing architecture, the encryption scheme
and the compression algorithms used in the space communications platform
deployed by DHS.


Next, we get the feeling that someone needs to start swinging the
clue-bat at the author if based only on their lack of understanding of
how REAL bandwidth is bought and sold with the following:

"Let’s have a look at a NSP. They make their money off of ISP’s who in
turn make money off of you. With this brief explanation it's obvious
NSP’s make money off of traffic with most NSP’s charging their
customers (ISP’s or other providers, hosting, etc.) more money when they
go over their quotas. So ask yourself, let’s say AcmeNSP (hopefully
there isn’t a NSP called ACME since in this instance - I just spit out a
name), if AcmeNSP is leasing to FoobarISP and is guaranteeing them say
100 gigs of traffic per month with say $0.60 per meg over quota..."

OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on
data transferred vs raw line rate of the transport medium, there are two
words to describe that provider: "Mom & Pop".  It is just that simple.
Virtual hosting is sold by many providers based on the amount of data
transferred.  Transit bandwidth on the other hand is bought and sold
based on Mb/s or more commonly Gb/s now.  The fact that the author
thinks otherwise suggests to me that even if they have been "around the
block a couple of years", they still have their training wheels on.

The author goes on to demonstrate their lack of grasp with the following:

"How difficult would it be for AcmeNSP to instead create and send a
letter to all their clients: “We’ve recently noticed spikes in malicious
traffic and in an effort to mitigate this, we’re asking that our
customers implement the following fixes on their networks to avoid
surplus charges” with an instruction on say RFC1918 filtering or maybe
even some quick Cisco ip audit, ip cef, access-list oneliners to stop
malicious traffic from ever reaching the Internet. It's not and would
never be in a NSP’s best interest to do so. Why should AcmeNSP clean off
their network when they’re making money off of the excess bandwidth."

The overwhelming majority of malware we're seeing is not sourcing from
RFC1918 space and much of it is intelligent enough not to scan into
RFC1918 space and while I agree that RFC1918 should not ever make it
past the CPE, let alone the customer aggregation router, access-lists
are not where it's at.  The use of uRPF in strict mode on customer
facing interfaces would be a nice start though.  Strange that the author
has so much supposed experience but they leave the most easily
implemented filtering option out of their critique.

As for using ip audit and ip cef, they have their place but, any
respectable provider is going to be collecting netflow exports from
their routers and doing automated analytics on that flow information
using any one of several publicly available netflow collectors - perhaps
even augmented by a commercial solution such as the Arbor PeakFlow SP.

As for "access-list oneliners", if you want to see a router melt down,
go ahead and apply an ACL to block that 2 million packets per second,
2Gb/s DDoS heading towards your customer.  Let us know how that works
out for ya, OK?

This one torques me off: "I have 3 engineers say a CCNP, CCNA and Unix
systems administrator".  I'm so sorry.  The word "engineer" is so
overused it boggles the mind.

I'm starting to get the picture here: "a DS3 at about $6,000 for the
local loop and another $6,000 bandwidth."  OK.  A DS3? A *single* DS3 at
that?  So much for multi-homing.  So much for bandwidth.  And $6000/mo
for 45Mb/s of transit not including loop?  Someone is getting bent over
and not even kissed.  Go ahead.  Apply all of the ACLs you want to your
7204 with the NPE-100.  If you've only got a DS3 on it, it might handle
it.  Hell, the fact that you've only got a DS3 is shielding you from
99.999% of the attack traffic.  A 45Mb/s attack is going to be VERY hard
to see in the graphs on my network it's so far d
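Added example, not code from the thread or from any collector product: the flow-level analytics John says a respectable provider runs over NetFlow exports, reduced to its core. Flow records are aggregated per destination over a time window, turned into packets-per-second and bits-per-second, and a destination is flagged only when its rate is above an absolute floor and well above its own baseline, which is what separates a 45Mb/s blip from the 2Gb/s, 2Mpps event he describes. The records use a simplified field set rather than a real NetFlow v5/v9 layout, and every value is constructed.

```python
"""Offline flow analytics: per-destination rates over a window plus a
baseline-relative spike detector. Added illustration; the Flow layout is
simplified and the sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    start: int       # seconds since epoch (constructed)
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    packets: int
    bytes: int


def window_rates(flows, t0, seconds):
    """Per-destination (pps, bps) over [t0, t0 + seconds)."""
    pkts = defaultdict(int)
    octs = defaultdict(int)
    for f in flows:
        if t0 <= f.start < t0 + seconds:
            pkts[f.dst] += f.packets
            octs[f.dst] += f.bytes
    return {d: (pkts[d] / seconds, octs[d] * 8 / seconds) for d in pkts}


def anomalies(flows, baseline_t0, current_t0, seconds,
              min_pps=50_000, ratio=10.0):
    """Destinations whose pps in the current window is >= min_pps and at least
    `ratio` times their baseline pps. A destination with no baseline traffic
    is treated as 1 pps so a brand-new target still gets flagged instead of
    causing a division by zero."""
    base = window_rates(flows, baseline_t0, seconds)
    cur = window_rates(flows, current_t0, seconds)
    out = []
    for dst, (pps, bps) in cur.items():
        base_pps = max(base.get(dst, (0.0, 0.0))[0], 1.0)
        if pps >= min_pps and pps / base_pps >= ratio:
            out.append((dst, round(pps), round(bps), round(pps / base_pps, 1)))
    return sorted(out, key=lambda r: -r[1])


def sample_flows():
    """Constructed records: one quiet minute, then a small-packet UDP flood
    at one customer host while the other host stays at its normal rate."""
    return [
        # baseline minute (t = 0..59): ordinary web traffic, ~1000 pps each
        Flow(5, "192.0.2.10", "203.0.113.10", 6, 30_000, 30_000_000),
        Flow(20, "192.0.2.11", "203.0.113.10", 6, 30_000, 30_000_000),
        Flow(30, "192.0.2.12", "198.51.100.5", 6, 60_000, 60_000_000),
        # attack minute (t = 60..119): 64-byte UDP from many sources
        Flow(65, "192.0.2.20", "203.0.113.10", 17, 1_500_000, 96_000_000),
        Flow(66, "192.0.2.21", "203.0.113.10", 17, 1_500_000, 96_000_000),
        Flow(67, "192.0.2.22", "203.0.113.10", 17, 1_500_000, 96_000_000),
        Flow(68, "192.0.2.23", "203.0.113.10", 17, 1_500_000, 96_000_000),
        Flow(90, "192.0.2.12", "198.51.100.5", 6, 60_000, 60_000_000),
    ]


if __name__ == "__main__":
    for dst, pps, bps, x in anomalies(sample_flows(), 0, 60, 60):
        print(f"{dst}: {pps} pps, {bps} bps, {x}x baseline")
```

The two-part test matters: a baseline ratio alone would flag every idle host that receives its first packets, and an absolute floor alone would miss a small customer being hit at a rate that is nothing on the provider's graphs but everything on the customer's DS3.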

[botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
http://www.infiltrated.net/?p=29

Biased... In all honesty I don't believe so


-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net


